partitioned-cache.md

File metadata and controls

64 lines (41 loc) · 3.97 KB

+++
title = "Partitioned HTTP Cache"
description = ""
date = "2020-07-21"
category = "defenses"
menu = "main"
+++

## Explanation

Cache probing attacks have been present on the web for a long time, mainly because the browser's HTTP cache is shared across all the websites a user visits. An attacker page can therefore interact with that cache and infer private information about the user's state on other origins.

Among opt-in solutions, applications can use the `Vary` header combined with Fetch Metadata to prevent cross-origin fetches from being served by, or populating, the site's cache entries, or use [some workarounds]({{< ref "../design-protections/subresource-protections.md" >}}) to protect resources, which come with downsides. Browsers, however, have been planning a defense mechanism that segregates cached resources per origin or site, making it impossible for attacker pages to interact with the cached contents of other origins[^1] [^2] [^3]. Specifically, browsers have tested caching with finer-grained keys such as the tuple `<top-frame origin, URL>` or even triples of values.

{{< hint info >}} Chrome[^1] and Firefox[^2] are still discussing an implementation of a multi-keyed cache, while Safari[^3] has been running a version of it since 2013.

## Relevant Projects

### Intelligent Tracking Prevention

Intelligent Tracking Prevention (ITP) is a privacy feature that is part of WebKit. It combines several tracking-prevention features, including a partitioned HTTP cache that originated from WebKit's initial keyed cache from 2013. The keys used for the cache are the top frame's eTLD+1 and the origin of each fetched subresource.
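
The following is an added example, not code from the XS-Leaks wiki or from any browser engine: a small model of an HTTP cache that makes the two defences above concrete, the opt-in `Vary: Sec-Fetch-Site` response header from the Explanation section and the partitioned cache keyed by the top frame's eTLD+1 as used by ITP. The sites, URLs and response bodies are constructed for the example, and the eTLD+1 computation is a simplification (last two host labels) that stands in for a real Public Suffix List lookup.

```javascript
// Added example (not from the XS-Leaks wiki): a toy HTTP cache showing why a
// cross-site page can observe another site's cached response, and how
// `Vary: Sec-Fetch-Site` and cache partitioning each prevent that.
// All hosts, URLs and responses below are constructed.

// Registrable domain (eTLD+1). Assumption: the last two labels stand in for a
// real Public Suffix List lookup, which is enough for the constructed hosts.
function siteOf(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

// Value the browser sends in Sec-Fetch-Site (Fetch Metadata) for a request
// from `initiatorOrigin` to `targetUrl`.
function secFetchSite(initiatorOrigin, targetUrl) {
  if (initiatorOrigin === null) return 'none';
  const from = new URL(initiatorOrigin);
  const to = new URL(targetUrl);
  if (from.origin === to.origin) return 'same-origin';
  if (siteOf(from.href) === siteOf(to.href)) return 'same-site';
  return 'cross-site';
}

class HttpCache {
  constructor({ partitioned }) {
    this.partitioned = partitioned;
    this.entries = new Map(); // primary key -> list of stored variants
  }

  // Primary key: the URL alone (legacy shared cache) or <top-frame eTLD+1, URL>
  // (the top-frame part of the key ITP uses).
  primaryKey(req) {
    return this.partitioned ? `${siteOf(req.topFrame)} ${req.url}` : req.url;
  }

  // Secondary key (Vary): every request header named in the stored response's
  // Vary must have the same value in the stored and the new request.
  static varyMatches(variant, req) {
    return variant.vary.every(
      (h) => (variant.reqHeaders[h] ?? '') === (req.headers[h] ?? '')
    );
  }

  store(req, res) {
    const vary = (res.headers['vary'] ?? '')
      .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
    const key = this.primaryKey(req);
    const variants = this.entries.get(key) ?? [];
    variants.push({ vary, reqHeaders: req.headers, body: res.body });
    this.entries.set(key, variants);
  }

  lookup(req) {
    const variants = this.entries.get(this.primaryKey(req)) ?? [];
    return variants.some((v) => HttpCache.varyMatches(v, req)) ? 'hit' : 'miss';
  }
}

// A request issued by a page at `initiator` that is itself the top frame.
function makeRequest(url, initiator) {
  return {
    url,
    topFrame: initiator,
    headers: { 'sec-fetch-site': secFetchSite(initiator, url) },
  };
}

// Scenario: the victim site fetches one of its own resources, then a page on
// `probeSite` fetches the same URL. Returns what that second fetch sees.
function probeOutcome({ partitioned, vary, probeSite = 'https://evil.example' }) {
  const cache = new HttpCache({ partitioned });
  const resource = 'https://bank.example/api/profile.json'; // constructed
  const victim = makeRequest(resource, 'https://bank.example');
  cache.store(victim, {
    headers: vary ? { vary: 'Sec-Fetch-Site' } : {},
    body: '{"plan":"premium"}', // constructed response body
  });
  return cache.lookup(makeRequest(resource, probeSite));
}

for (const partitioned of [false, true]) {
  for (const vary of [false, true]) {
    console.log(`partitioned=${partitioned} vary=${vary}:`,
      probeOutcome({ partitioned, vary }));
  }
}
```

Only the legacy cache without `Vary` returns `hit` for the cross-site probe; either defence alone turns it into `miss`. The model also shows a difference in granularity: with the eTLD+1 key, a page on `https://www.bank.example` still shares the entry with `https://bank.example` (same partition), whereas `Vary: Sec-Fetch-Site` treats that request as `same-site` rather than `same-origin` and serves nothing from the cache. Freshness, request methods and the subresource-origin part of ITP's key are left out of the model.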

{{< hint warning >}} Researchers found that some ITP features could be abused by attackers to infer private user data. {{< /hint >}}

### First Party Isolation

First Party Isolation is a browser extension for Firefox which restricts access to cookies and persistent data (e.g. the cache) per domain.

## Considerations

Partitioned HTTP caches are a promising security feature that will eventually land in browsers. These partitioning strategies mitigate all the XS-Leaks that leverage browser caches, and they might be extended to other browser resources, which would help mitigate resilient attack vectors such as the Socket Exhaustion XS-Leak.

## XS-Leaks Mitigation Overview

| XS-Leak | Partitioned Cache Mitigation | Full Mitigation |
|---|---|---|
| [Frame Counting]({{< ref "../../attacks/frame-counting.md" >}}) | | |
| [Navigations]({{< ref "../../attacks/navigations.md" >}}) | | |
| [ID Leaks]({{< ref "../../attacks/id-attribute.md" >}}) | | |

### Table Legend

- Partitioned Cache Protection - At least one attack alternative of the XS-Leak can be mitigated
- Full Mitigation - Fully mitigates an XS-Leak

[^1]: Split Disk Cache Meta Bug (Blink), link
[^2]: Top-level site partitioning (Gecko), link
[^3]: Optionally partition cache to prevent using cache for tracking (WebKit), link
{{< /hint >}}